johannes at kyriasis.com
Sat Oct 4 14:00:09 UTC 2014
>> Use GPG to verify the integrity of the download and calculate the
>> checksum locally for yourself. Users of your package have to trust you
>> anyway, as you can basically do anything to your package.
>> Best regards,
>> Karol Babioch
>OK, you have a point, understood.
For reference, a PGP signature is a hash of the file encrypted with the
public key, so that people that have the public key can decrypt the hash
and verify that the file they have is the one that upstream published.
PGP Key ID: 0x50FB9B273A9D0BB5
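As an added example, not part of this thread or of any AUR package, here is the workflow Karol describes in runnable form: gpg produces the detached signature with the signer's private key, anyone holding the matching public key checks it against the exact bytes they downloaded, and only then is the checksum for the PKGBUILD computed from the local file. Everything in it is constructed: a throwaway key with a made-up user-id stands in for upstream's key, a small text file stands in for the release tarball, and the script uses its own temporary keyring so your real one is untouched.

```shell
#!/bin/sh
# Added example, not from the aur-general thread: verify an upstream
# detached signature, show that tampering is caught, then compute the
# PKGBUILD checksum locally. The key, user-id and "tarball" are all
# constructed stand-ins.
set -u

command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, demo skipped"; exit 0; }

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"      # private keyring; the real one is never touched
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$WORK"' EXIT

# Upstream side (simulated): a throwaway signing key with a made-up user-id.
gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "Upstream Demo <upstream@example.invalid>" default default never \
    || { echo "could not create a throwaway key here, demo skipped"; exit 0; }

# Constructed stand-in for the release tarball, detach-signed like upstream would.
TARBALL="$WORK/demo-1.0.tar.gz"
printf 'constructed stand-in for an upstream release tarball\n' > "$TARBALL"
gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
    --detach-sign --output "$TARBALL.sig" "$TARBALL"

# Maintainer side: check the signature over the exact bytes downloaded.
# Exit status is gpg's: 0 for a good signature, non-zero otherwise.
verify_download() {
    gpg --batch --verify "$2" "$1"
}

# Only after verification, derive the checksum from the local file rather
# than copying a value published next to the download.
pkgbuild_sha256() {
    printf "sha256sums=('%s')\n" "$(sha256sum "$1" | cut -d' ' -f1)"
}

if verify_download "$TARBALL" "$TARBALL.sig"; then
    pkgbuild_sha256 "$TARBALL"
fi

# A single appended byte must make the same signature fail to verify.
TAMPERED="$WORK/demo-1.0-tampered.tar.gz"
cp "$TARBALL" "$TAMPERED"
printf 'x' >> "$TAMPERED"
if verify_download "$TAMPERED" "$TARBALL.sig"; then
    echo "unexpected: tampered file verified"
else
    echo "tampered file rejected, as expected"
fi
```

Run it with `sh demo.sh`. Against a real upstream you import their key first and compare its fingerprint with one obtained out of band (project site, previous release, keysigning); gpg still exits 0 for a good signature from an uncertified key and only prints a warning, so the exit status alone does not tell you the key is the right one.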